From mboxrd@z Thu Jan 1 00:00:00 1970 From: git@ipfire.org To: ipfire-scm@lists.ipfire.org Subject: [git.ipfire.org] IPFire 2.x development tree branch, master, updated. 9ffd1b35db13760ceab2b396230fbc40fa03caec Date: Thu, 19 Mar 2015 15:15:11 +0100 Message-ID: <20150319141511.9098C22065@argus.ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7465867351732701131==" List-Id: --===============7465867351732701131== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree". The branch, master has been updated via 9ffd1b35db13760ceab2b396230fbc40fa03caec (commit) from 102825b673eaed53e2e07eda75b2341f42e479d7 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 9ffd1b35db13760ceab2b396230fbc40fa03caec Author: Michael Tremer Date: Thu Mar 19 15:13:07 2015 +0100 openssl: Update to version 1.0.1m and 0.9.8zf =20 http://openssl.org/news/secadv_20150319.txt =20 OpenSSL Security Advisory [19 Mar 2015] =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =20 OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291) =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D =20 Severity: High =20 If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension a NULL pointer dereference will oc= cur. This can be exploited in a DoS attack against the server. =20 This issue affects OpenSSL version: 1.0.2 =20 OpenSSL 1.0.2 users should upgrade to 1.0.2a. =20 This issue was was reported to OpenSSL on 26th February 2015 by David Ram= os of Stanford University. The fix was developed by Stephen Henson and Matt Caswell of the OpenSSL development team. =20 Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-02= 04) =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D =20 Severity: High =20 This security issue was previously announced by the OpenSSL project and classified as "low" severity. This severity rating has now been changed to "high". =20 This was classified low because it was originally thought that server RSA export ciphersuite support was rare: a client was only vulnerable to a MI= TM attack against a server which supports an RSA export ciphersuite. Recent studies have shown that RSA export ciphersuites support is far more commo= n. =20 This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8. =20 OpenSSL 1.0.1 users should upgrade to 1.0.1k. OpenSSL 1.0.0 users should upgrade to 1.0.0p. OpenSSL 0.9.8 users should upgrade to 0.9.8zd. =20 This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen Henson of the OpenSSL core team. It was previously announced in the OpenS= SL security advisory on 8th January 2015. =20 Multiblock corrupted pointer (CVE-2015-0290) =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =20 Severity: Moderate =20 OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This f= eature only applies on 64 bit x86 architecture platforms that support AES NI instructions. A defect in the implementation of "multiblock" can cause Op= enSSL's internal write buffer to become incorrectly set to NULL when using non-bl= ocking IO. Typically, when the user application is using a socket BIO for writin= g, this will only result in a failed connection. However if some other BIO is use= d then it is likely that a segmentation fault will be triggered, thus enabling a potential DoS attack. =20 This issue affects OpenSSL version: 1.0.2 =20 OpenSSL 1.0.2 users should upgrade to 1.0.2a. =20 This issue was reported to OpenSSL on 13th February 2015 by Daniel Danner= and Rainer Mueller. The fix was developed by Matt Caswell of the OpenSSL deve= lopment team. =20 Segmentation fault in DTLSv1_listen (CVE-2015-0207) =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D =20 Severity: Moderate =20 The DTLSv1_listen function is intended to be stateless and processes the = initial ClientHello from many peers. It is common for user code to loop over the = call to DTLSv1_listen until a valid ClientHello is received with an associated co= okie. A defect in the implementation of DTLSv1_listen means that state is preserv= ed in the SSL object from one invocation to the next that can lead to a segment= ation fault. Errors processing the initial ClientHello can trigger this scenari= o. An example of such an error could be that a DTLS1.0 only client is attemptin= g to connect to a DTLS1.2 only server. =20 This issue affects OpenSSL version: 1.0.2 =20 OpenSSL 1.0.2 DTLS users should upgrade to 1.0.2a. =20 This issue was reported to OpenSSL on 27th January 2015 by Per Allansson.= The fix was developed by Matt Caswell of the OpenSSL development team. =20 Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286) =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D =20 Severity: Moderate =20 The function ASN1_TYPE_cmp will crash with an invalid read if an attempt = is made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check certificate signature algorithm consistency this can be used to crash any certificate verification operation and exploited in a DoS attack. Any application which performs certificate verification is vulnerable includi= ng OpenSSL clients and servers which enable client authentication. =20 This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and = 0.9.8. =20 OpenSSL 1.0.2 users should upgrade to 1.0.2a OpenSSL 1.0.1 users should upgrade to 1.0.1m. OpenSSL 1.0.0 users should upgrade to 1.0.0r. OpenSSL 0.9.8 users should upgrade to 0.9.8zf. =20 This issue was discovered and fixed by Stephen Henson of the OpenSSL development team. =20 Segmentation fault for invalid PSS parameters (CVE-2015-0208) =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =20 Severity: Moderate =20 The signature verification routines will crash with a NULL pointer dereference if presented with an ASN.1 signature using the RSA PSS algorithm and invalid parameters. Since these routines are used to verify certificate signature algorithms this can be used to crash any certificate verification operation and exploited in a DoS attack. Any application which performs certificate verification is vulnerable includi= ng OpenSSL clients and servers which enable client authentication. =20 This issue affects OpenSSL version: 1.0.2 =20 OpenSSL 1.0.2 users should upgrade to 1.0.2a =20 This issue was was reported to OpenSSL on 31st January 2015 by Brian Carp= enter and a fix developed by Stephen Henson of the OpenSSL development team. =20 ASN.1 structure reuse memory corruption (CVE-2015-0287) =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D =20 Severity: Moderate =20 Reusing a structure in ASN.1 parsing may allow an attacker to cause memory corruption via an invalid write. Such reuse is and has been strongly discouraged and is believed to be rare. =20 Applications that parse structures containing CHOICE or ANY DEFINED BY components may be affected. Certificate parsing (d2i_X509 and related functions) are however not affected. OpenSSL clients and servers are not affected. =20 This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8. =20 OpenSSL 1.0.2 users should upgrade to 1.0.2a OpenSSL 1.0.1 users should upgrade to 1.0.1m. OpenSSL 1.0.0 users should upgrade to 1.0.0r. OpenSSL 0.9.8 users should upgrade to 0.9.8zf. =20 This issue was discovered by Emilia K=C3=83=C2=A4sper and a fix developed= by Stephen Henson of the OpenSSL development team. =20 PKCS7 NULL pointer dereferences (CVE-2015-0289) =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =20 Severity: Moderate =20 The PKCS#7 parsing code does not handle missing outer ContentInfo correct= ly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing. =20 Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or otherwise parse PKCS#7 structures from untrusted sources are affected. OpenSSL clients and servers are not affected. =20 This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8. =20 OpenSSL 1.0.2 users should upgrade to 1.0.2a OpenSSL 1.0.1 users should upgrade to 1.0.1m. OpenSSL 1.0.0 users should upgrade to 1.0.0r. OpenSSL 0.9.8 users should upgrade to 0.9.8zf. =20 This issue was reported to OpenSSL on February 16th 2015 by Michal Zalewski (Google) and a fix developed by Emilia K=C3=83=C2=A4sper of the = OpenSSL development team. =20 Base64 decode (CVE-2015-0292) =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D =20 Severity: Moderate =20 A vulnerability existed in previous versions of OpenSSL related to the processing of base64 encoded data. Any code path that reads base64 data f= rom an untrusted source could be affected (such as the PEM processing routines). Maliciously crafted base 64 data could trigger a segmenation fault or mem= ory corruption. This was addressed in previous versions of OpenSSL but has no= t been included in any security advisory until now. =20 This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8. =20 OpenSSL 1.0.1 users should upgrade to 1.0.1h. OpenSSL 1.0.0 users should upgrade to 1.0.0m. OpenSSL 0.9.8 users should upgrade to 0.9.8za. =20 The fix for this issue can be identified by commits d0666f289a (1.0.1), 84fe686173 (1.0.0) and 9febee0272 (0.9.8). This issue was originally repo= rted by Robert Dugal and subsequently by David Ramos. =20 DoS via reachable assert in SSLv2 servers (CVE-2015-0293) =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D =20 Severity: Moderate =20 A malicious client can trigger an OPENSSL_assert (i.e., an abort) in servers that both support SSLv2 and enable export cipher suites by sending a specially crafted SSLv2 CLIENT-MASTER-KEY message. =20 This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8. =20 OpenSSL 1.0.2 users should upgrade to 1.0.2a OpenSSL 1.0.1 users should upgrade to 1.0.1m. OpenSSL 1.0.0 users should upgrade to 1.0.0r. OpenSSL 0.9.8 users should upgrade to 0.9.8zf. =20 This issue was discovered by Sean Burford (Google) and Emilia K=C3=83=C2= =A4sper (OpenSSL development team) in March 2015 and the fix was developed by Emilia K=C3=83=C2=A4sper. =20 Empty CKE with client auth and DHE (CVE-2015-1787) =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =20 Severity: Moderate =20 If client auth is used then a server can seg fault in the event of a DHE ciphersuite being selected and a zero length ClientKeyExchange message be= ing sent by the client. This could be exploited in a DoS attack. =20 This issue affects OpenSSL version: 1.0.2 =20 OpenSSL 1.0.2 users should upgrade to 1.0.2a. =20 This issue was discovered and the fix was developed by Matt Caswell of the OpenSSL development team. =20 Handshake with unseeded PRNG (CVE-2015-0285) =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =20 Severity: Low =20 Under certain conditions an OpenSSL 1.0.2 client can complete a handshake= with an unseeded PRNG. The conditions are: - The client is on a platform where the PRNG has not been seeded automati= cally, and the user has not seeded manually - A protocol specific client method version has been used (i.e. not SSL_client_methodv23) - A ciphersuite is used that does not require additional random data from= the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA). =20 If the handshake succeeds then the client random that has been used will = have been generated from a PRNG with insufficient entropy and therefore the ou= tput may be predictable. =20 For example using the following command with an unseeded openssl will suc= ceed on an unpatched platform: =20 openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA =20 This issue affects OpenSSL version: 1.0.2 =20 OpenSSL 1.0.2 users should upgrade to 1.0.2a. =20 This issue was discovered and the fix was developed by Matt Caswell of the OpenSSL development team. =20 Use After Free following d2i_ECPrivatekey error (CVE-2015-0209) =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =20 Severity: Low =20 A malformed EC private key file consumed via the d2i_ECPrivateKey functio= n could cause a use after free condition. This, in turn, could cause a double free in several private key parsing functions (such as d2i_PrivateKey or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption for applications that receive EC private keys from untrusted sources. This scenario is considered rare. =20 This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and = 0.9.8. =20 OpenSSL 1.0.2 users should upgrade to 1.0.2a OpenSSL 1.0.1 users should upgrade to 1.0.1m. OpenSSL 1.0.0 users should upgrade to 1.0.0r. OpenSSL 0.9.8 users should upgrade to 0.9.8zf. =20 This issue was discovered by the BoringSSL project and fixed in their com= mit 517073cd4b. The OpenSSL fix was developed by Matt Caswell of the OpenSSL development team. =20 X509_to_X509_REQ NULL pointer deref (CVE-2015-0288) =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D =20 Severity: Low =20 The function X509_to_X509_REQ will crash with a NULL pointer dereference = if the certificate key is invalid. This function is rarely used in practice. =20 This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8. =20 OpenSSL 1.0.2 users should upgrade to 1.0.2a OpenSSL 1.0.1 users should upgrade to 1.0.1m. OpenSSL 1.0.0 users should upgrade to 1.0.0r. OpenSSL 0.9.8 users should upgrade to 0.9.8zf. =20 This issue was discovered by Brian Carpenter and a fix developed by Steph= en Henson of the OpenSSL development team. =20 Note =3D=3D=3D=3D =20 As per our previous announcements and our Release Strategy (https://www.openssl.org/about/releasestrat.html), support for OpenSSL ve= rsions 1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for= these releases will be provided after that date. Users of these releases are ad= vised to upgrade. =20 References =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =20 URL for this Security Advisory: https://www.openssl.org/news/secadv_20150319.txt =20 Note: the online version of the advisory may be updated with additional details over time. =20 For details of OpenSSL severity classifications please see: https://www.openssl.org/about/secpolicy.html ----------------------------------------------------------------------- Summary of changes: lfs/openssl | 4 ++-- lfs/openssl-compat | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) Difference in files: diff --git a/lfs/openssl b/lfs/openssl index df068f3..efc7236 100644 --- a/lfs/openssl +++ b/lfs/openssl @@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 1.0.1k +VER =3D 1.0.1m =20 THISAPP =3D openssl-$(VER) DL_FILE =3D $(THISAPP).tar.gz @@ -51,7 +51,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_MD5 =3D d4f002bd22a56881340105028842ae1f +$(DL_FILE)_MD5 =3D d143d1555d842a069cb7cc34ba745a06 =20 install : $(TARGET) =20 diff --git a/lfs/openssl-compat b/lfs/openssl-compat index 8e22a34..8206d33 100644 --- a/lfs/openssl-compat +++ b/lfs/openssl-compat @@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 0.9.8zd +VER =3D 0.9.8zf =20 THISAPP =3D openssl-$(VER) DL_FILE =3D $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_MD5 =3D e9b9ee12f2911e1a378e2458d9bfff77 +$(DL_FILE)_MD5 =3D c69a4a679233f7df189e1ad6659511ec =20 install : $(TARGET) =20 hooks/post-receive -- IPFire 2.x development tree --===============7465867351732701131==--